For more than a decade, Russian hackers have tormented the country’s neighbors, bombarding Estonian websites with junk traffic and even triggering blackouts in Ukraine. As long as Russia has kept those relentless, disruptive cyberattacks within its own region, the West has mostly turned a blind eye. But as the US seeks to head off any digital meddling in its own upcoming election, the State Department is trying something different: calling out Russia for a broad-scale act of digital sabotage that hit the country of Georgia last fall.
State Department officials today issued a statement blaming the Russian military intelligence agency known as the GRU for cyberattacks that hit Georgia in October. The onslaught took down or defaced thousands of websites, and even disrupted the broadcasts of two television stations. Specifically, administration officials tell WIRED that US and allied intelligence agencies have attributed the assault to the GRU’s Main Center for Special Technology, or GTsST, which the State Department also explicitly linked for the first time in its statement to the notorious Russian hacker group known as Sandworm. The US had previously tied that same group to the destructive NotPetya worm that spread from Ukraine in 2017, causing $10 billion in damage, and the Olympic Destroyer malware that sabotaged the 2018 Winter Olympics in Pyeongchang. The statement will echo findings released by Georgia’s own security services today, and US officials say they expect confirmations from multiple other governments to follow.
“It’s important to draw a line in the sand and say, no, this is not OK. It’s not OK in the West, and it’s not OK in the near abroad,” said a senior administration official who spoke to WIRED under condition of anonymity because he wasn’t authorized to speak on the record. That phrase, “near abroad,” is an English translation of a term commonly used by Russians to refer to post-Soviet states on its borders. “This just continues the pattern of fairly reckless GRU cyberoperations that, from our understanding, are intended to sow division, create insecurity, and undermine democratic institutions. Failing to call out such activity when it’s observed and attributed risks creating a norm of inaction, a systemic risk of not acknowledging to the world that these types of behaviors are unacceptable.”
The cyberattack that hit Georgia on October 28 appears to have focused largely on the hosting providers Pro-Service and Serv.ge. Pro-Service wrote in a statement following the attack that 15,000 customers were affected. “One of the largest cyberattacks on the cyberspace of Georgia [began] at dawn,” the company posted on its website on the day the hack took place.
“It hit everybody: critical media, government authorities, private websites,” says Nana Aburdjanidze, executive director of the Georgian news channel TV Pirveli. “It was massive.”
On many of the affected websites, the hackers used their access to Pro-Service’s systems to post an image of former Georgian president Mikheil Saakashvili—who was indicted in absentia on charges of corruption after leaving the country in 2013—along with the words “I’ll be back” written across a Georgian flag. “We couldn’t take it down or do anything,” says Aburdjanidze. “It was crazy and annoying. It wasn’t a pleasant feeling, for sure.”
In what appears to have been a separate attack on the same day, the hackers also disrupted the broadcasts of two television channels, Imedi and Maestro. “The network is paralyzed, we can’t get any signal, we can’t go on air, we can’t use our editing computers,” wrote Irakli Chikhladze, Imedi’s head of news, in a Georgian-language Facebook post that day. “Working to get back on the air soon!”
Georgia has a long history of conflict with Russia, both physical and digital. In 2008, Russia invaded the country with the supposed intention of protecting Russian-speaking minorities, seizing around 20 percent of Georgia’s territory, which it still controls. That physical incursion was accompanied by a wave of relatively crude cyberattacks that defaced and took down Georgian websites, the first clear example in history of a “hybrid” war involving physical and digital attacks in combination. (While the Russian government was never proven to be behind those cyberattacks, one website that helped to coordinate them, StopGeorgia.ru, was hosted at an IP address that belonged to a company headquartered next to a GRU-connected military research institute.)